Change the default value of VerifyHostKeyDNS to "yes" if compiled with

LDNS.  With that setting, OpenSSH will silently accept host keys that
match verified SSHFP records.  If an SSHFP record exists but could not
be verified, OpenSSH will print a message and prompt the user as usual.

Approved by:	re (blanket)

crypto/openssh/readconf.c

@@ -1435,8 +1435,14 @@ fill_default_options(Options * options)
 		options->enable_ssh_keysign = 0;
 	if (options->rekey_limit == -1)
 		options->rekey_limit = 0;
+#if HAVE_LDNS
+	if (options->verify_host_key_dns == -1)
+		/* automatically trust a verified SSHFP record */
+		options->verify_host_key_dns = 1;
+#else
 	if (options->verify_host_key_dns == -1)
 		options->verify_host_key_dns = 0;
+#endif
 	if (options->server_alive_interval == -1)
 		options->server_alive_interval = 0;
 	if (options->server_alive_count_max == -1)

crypto/openssh/ssh_config

@@ -46,4 +46,5 @@
 #   PermitLocalCommand no
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
+#   VerifyHostKeyDNS yes
 #   VersionAddendum FreeBSD-20130515

crypto/openssh/ssh_config.5

@@ -1219,7 +1219,10 @@ The argument must be
 or
 .Dq ask .
 The default is
-.Dq no .
+.Dq yes
+if compiled with LDNS and
+.Dq no
+otherwise.
 Note that this option applies to protocol version 2 only.
 .Pp
 See also